When a Citrix NetScaler is configured using a graphical interface a browser is used to connect to the Citrix NetScaler. Starting NetScaler release 10 a part of the configuration is migrated from Java Applets to HTML5, but most configuration are still depending on Java Applets.
When you open a more advanced configuration the Java Applet is loaded automatically., If it hangs at 1% “Downloading Applet…” you might want to read this article.If it hangs at 99% “Logging in” continue reading.
After loading the Java Applet and trying to log in the following error is raised.
In my case the Citrix NetScaler was placed in a different VLAN than my client was, the VLANs where separated by a firewall.
What is good to know is that for the normal GUI communication is done via TCP port 80 for non-secure (HTTP) or TCP port 443 for secure (HTTPS). The Java Applet communicates uses different ports: TCP port 3010 for secure or TCP port 3008 for non-secure .
Source: Communication ports used by Citrix Technologies [PDF]
To determine if your client could reach the port you can use Port Query GUI (provided by Microsoft – link). This standalone utility can verify if ports can be reached and tells you within seconds if this is the problem.
- Specify the destination IP or FQDN of the NetScaler IP (NSIP)
- Select query type Manually input query ports
- Ports to query: 80,443,3008,3010
- Protocol: TCP
- Click on Query
The query should return LISTENING for port 80+3010 for non-secure communication or 443+3008 for secure communication.
This example clearly shows that TCP port 3008 and 3010 are filtered by a firewall.
Was once an enthusiastic PepperByte employee but is now working at Citrix. His blogs are still valuable to us and we hope to you too.